Tuesday, July 03, 2007

Web shell? - why, how and where

Some folks asked me what else to do when you have a shell, well, it certainly depends on your shell privilege and specific target setup and configuration, there is no perfect universal way, only the best possible way.

Ok, there are simply too many stuff you can do, and I just list one I used a lot. My personal preference is to put a web shell on the target, so what is web shell? Some people called it web backdoor, it mainly provides
a set of functions to manipulate the target. Why do I prefer web shell rather than trojan or other backdoorings? Several reasons back me up, 1st) most of your target are web-based, (how many companies today don't have a website?) 2nd) most of these sites are on shared host, chances are these low cost host usually don't give out a shell, they do the whole thing pretty much via some hot GUI application, such as ispconfig, phpmyadmin, some built-in forums and blogging applications like phpbb etc. 3rd) it is relatively hard to be detected, traditional virus, worm, trojan will be caught very easily when the anti signature is up-to-dated. Well, you might argue web ids/ips have been developed and anti vendors started to include these web shell into the signatures, that is absolutely correct. But the point is they are not yet mature and very few companies are using them.

Then how do you upload a web shell? Again, it relies on the specific target, for blog, forum, CMS like applications, it is very likely that you can by the following techniques

  • change file extension - this probably won't work for the majority applications
  • obfuscation/encryption/encoding - simply to escape the application security check, be aware the after shell can still be interpreted.
  • injection - using "echo" to echo the content of your shell or some build-in sql functions to generate a new file, make sure to trim shell size, web server usually has length restriction (most likely 256)
There are a lot of other ways such as inject script into an acceptable file (such as gif, jpeg etc), I am not gonna list them here, (unless I am writing my book, hehe). Here are two good list of popular web shell, trade-off of popularity certainly means higher chance of being detected and killed.


Make sure you pick the right one or your effort will be dismissed. If you are not sure how to find out the target web server name and version, come back in a few days to check out my basic web server fingerprint tutorial, I will be showing you how to target these info.

No comments: